29 July 2005

As the legislation for the ID Theft Bill makes it's way through the full Senate, one has to wonder what will change. What behavior are we trying to influence here?

Approved on a voice vote, the Identity Theft Protection Act requires data brokers, government agencies and educational institutions to disclose security breaches to consumers within 45 days if there is a "reasonable risk" of identity theft involved in the breach.

The evidence of possible identity theft includes such factors as whether the data containing sensitive information is useable by an unauthorized third party and whether the data is in the possession of an unauthorized third party that is likely to commit identity theft.

Under the bill's language, companies and other organizations are required to develop, maintain and enforce a written program for the security of sensitive information. Physical and technological safeguards will be mandated through rules and regulations developed by the Federal Trade Commission (FTC).

Within a year of the passage of the bill, the FTC is required to develop procedures for authenticating the credentials of any third party to which sensitive personal information is to be transferred or sold by a data broker or other organization.

For security breaches involving 1,000 or more consumers, the firms responsible for the breaches must not only notify consumers but also the FTC. The agency, in turn, will post a report of the breach on its Web site without disclosing any sensitive personal data.

For breaches of fewer than 1,000 records that do not create a reasonable risk of identity, the data broker must still notify the FTC.

The real work begins for those institutions who thought they were exempt from regulations like the FTC SafeGuard Rule and the Gramm-Leach-Bliley Act (GLBA). Now they must do what the banks,thrifts and other OCC controlled organizations have been doing for years. Spending more money and resources on Information Security. Sure, human factors will have their toll even on those who have been complying with these laws for years. Bank of America and others have been burned. What is more interesting to see going forward is how the third-party processors and other information supply chain companies will behave, and for that matter, what the largest institutions will do to audit these business partners.

Stealing and selling sensitive information is the work of increasingly criminal organizations, located in countries across the globe. And even in our own back yard here in the United States. Let's just hope that organizations who are taking our sensitive personal identifiable information to verify our identity have the right people, right resources and take this legislation seriously this time.

27 July 2005

The impact of "Whistleblowing" on your organizations ability to detect fraud is only as good as your safeguards for retaliation. Who will step forward if they think that their job or personal safety is at risk? This article by Daniel Westman sums up many of the issues surrounding "Undersight".

Edmund Burke's famous 18th-century dictum encapsulates why compliance efforts cannot rely on written policies or codes of conduct alone. After all, Enron had policies on paper forbidding the practices that brought down the company. Without people willing to report violations of law or codes of conduct, compliance efforts inevitably will be frustrated.

The thesis of this article is that the new civil and criminal whistleblower provisions of Sarbanes-Oxley, coupled with growing acceptance of whistleblowing in both the law and popular culture, may create a climate in which employees more frequently engage in "undersight" to report violations of law or policy. "Undersight" is a term this author has coined to describe corporate employees who witness potential fraud first-hand and voice their concerns, in contrast with "oversight" through which corporate outsiders attempt to detect fraud relying on second-hand information.

Undersight is a culture issue. No one wants to be known as the "Stool Pigeon" or the "Rat" who attempts to undermine the organization with a warning bell about someone or some procedure that is flawed. How you promote the use of "Undersight" in your company begins with management behavior.

To the extent that fear of retaliation has deterred employees from identifying themselves by openly raising concerns, the ability to make anonymous complaints knowing that such complaints must be investigated may encourage whistleblowing. Put differently, before SOX, it may have been easier to rationalize remaining silent based on fears of retaliation. The new stature given to anonymous complaints, however, may give employees greater assurance that their identities will not be discovered, and that their concerns still will be addressed. Thus, a common rationalization for not blowing the whistle may be significantly undermined.

Even as SOX has heightened the issues around detecting and reporting internal fraud by employees, it still may be the external auditors who remain the bad guys. Have you ever made it obvious to an outside auditor that you have a "hunch" or suspect something isn't right? Just remember, you don't have to wait. Audit Committee's are obligated to investigate any anonymous tips, regardless of the outcome.

25 July 2005

At a recent meeting of the ISSA in the Washington, DC area there was much discussion about the governments spending agenda on Information Security. And for good reason.

It seems that the Office of Management and Budget is moving towards a model for procurement that will support the Federal Enterprise Architecture(FEA) E-Gov initiatives. The fear is that Information Security is being put in a "box" for easier and more efficient ordering for federal agencies, except INTEL and DOD. They are not impacted by the latest move to a "Center of Excellence" for InfoSec.

CISO's at these federal agencies are operating with their hands tied in an effort to improve their FISMA grades with declining budgets and line items being moved from their control to the "Center of Excellence".

As a result of the FEA PMO’s analysis of the FY 2006 budget data, OMB established the IT Security Line of Business to propose common solutions and architecture strengthening the ability of all agencies to identify vulnerabilities, defend against threats and manage resulting risks. The FEA PMO will guide this LoB initiative through development of a common solution architecture by:

• Providing initial direction on EA work products (i.e., common solutions and target architecture);• Reviewing EA work products and providing feedback;• Reviewing service components developed by the LoB;• Identifying areas for reuse or standardization across agency architectures; and• Identifying agency movement toward LoB standards and services in their EATransition StrategyThe FEA PMO and the LoB task force will collaborate on identifying potential common solutions (e.g., training/awareness, incident response, certification and accreditation, the selection of security products, reporting, implementation of security configurations, policy and budget coordination, disaster recovery, contingency planning, and access controls), and will identify business processes and systems impacted if a security service is standardized or outsourced.

Use of the FEA Practice and reference models to identify areas for reuse and standardization will result in better and more consistent security management processes and controls across the Federal government.

Has the cost of war finally gotten to the point where we have finally made "Information Security" and "Contingency Planning" a commodity to be put in a box? Not until the agencies are standardized on configurations, hardware/software and other baseline security appliances and applications will you have the ability to do what is initially intended by the initiative. To save money, resources and redundancy.

Information and Physical security is a moving target for a reason. It evolves in response to attackers new tools and exploits probing to find the latest vulnerabilities. We wish the non-INTEL and DOD agencies luck in their new mission to secure their respective enterprises.

22 July 2005

What is TRUST? Can you see it? Can you hear it? Can you feel it? Maybe all of these. But does it live on a dynamic spectrum?

No TrustImplicit Trust

When you trust someone or something, you put "faith" in it. You are more inclined to invest your time and effort to spend time with it and to ensure that it thrives and grows. Because when you move from the far left where "No Trust" exists and move to the right, somewhere along that spectrum trust begins to exist. And it isn't until you get to a point when you never think about it again, that maybe you can say that trust is "Implicit".

As much as President Bush or British Prime Minister Tony Blair say we won't let terrorists change our lives, this could be the start of a new era, and not in a good way. There is something unsettling about the idea of turning America into a nation of snitches and amateur spies. Is the guy taking photos of the George Washington Bridge a terrorist or the next Henri Cartier-Bresson? Are people wandering in front of national monuments scoping out targets or are they tourists? And do you trust the strangers around you to make those judgments based on looks and feelings?

All the same, on the Metro last week, I departed from my usual routine of simply reading the newspaper, or looking over a manuscript, or daydreaming. I found myself glancing up to look at the other passengers and their bags, or to gauge the distance to the stairs, or read the instructions on the emergency exits. Reassuring? Maybe.

In any case, this week you'll be able to find me on the platform waiting for the next train.

Taking risks is about degrees of trust. The amount of risk you decide to accept is directly tied to the degree to which you are willing to trust the entity that you are placing your faith in. Whether it's your spouse, your broker, your boss, your company, your partner, your supplier, your board of directors, your congressman or your government; each entity lives and changes on this spectrum of trust.

20 July 2005

Many enterprises today understands the myriad of potential threats to its people, processes, systems and structures. It stands to be better equipped for sustained continuity. Business Crisis and Continuity Management (BCCM) is a dynamic change management initiative that requires dedicated resources, funding and auditing.

Certainly the largest organizations realize that the risks are taking on different forms than the standard fire, flood, earthquake and hurricane/twister scenarios. These large catastrophic external loss events have been insured against and the premiums are substantial. What it is less easy to analyze from a threat perspective are the constantly changing landscapes and continuity postures of the many facets of the organization having to do with people, processes and systems.

The many sources of significant loss events are changing as we speak. Here are a few that should not be overlooked:

· Public perception

· Unethical dealings

· Regulatory or civil action

· Failure to respond to market changes

· Failure to control industrial espionage

· Failure to take account of widespread disease or illness among the workforce

Frankly, corporate directors have their hands full helping executives managing risk and continuity on behalf of the shareholders. The risk management process will someday have as big an impact on the enterprise as other key functions because shareholders will be asking more questions about the changing landscape of managing risk for corporate governance.

Since effective BCCM analysis is a 24/7 operation, it takes a combination of factors across the organization to provide what one might call C², or “Continuous Continuity”. A one-time threat or risk assessment or even an annual look at what has changed across the enterprise is opening the door for a Board of Directors worst nightmare. These nightmares are “Loss Events” that could have been prevented or mitigated all together.

Most of the best practices talk about a BCCM plan that will be periodically updated. Periodic is not continuous. Change is the key factor here. What changes take place in your organization between these periodic updates? How could any organization accurately account for all the changes to the organization in between BCCM updates? The fact is that they can’t.

This will change over time as organizations figure out that this is now as vital a business component as Accounts Receivable. The BCCM will become a core process of the organization if it is not already, dynamically evolving by the minute as new change-based factors take place in the enterprise. As new or terminated employees, suppliers and partners come and go into the BCCM process, the threat profile is updated in real-time. This takes the operational management that much closer to C², or “Continuous Continuity”.

So what? Boards of Directors have the responsibility to insure the resiliency of the organization. The people, processes, systems and external events that are constantly changing the operational risk landscape become the greatest threat to an enterprise. It’s the shareholders duty to scrutinize which organizations are most adept at “Continuous Continuity” before they invest in their future.

19 July 2005

In a recent banking survey conducted by the Risk Management Association (RMA) on Operational Risk Management, 105 institutions responded. Over one third indicated their greatest risk was "Unauthorized Access" from both insiders and outsiders together with attacks on bank systems.

What was obvious from the survey was that no matter the size of the institution, both Internet and Vendor Risk are pervasive. With banks with assets over $100Bn, the highest risk was ineffective IT planning that aligned investment with business priorities.

It's no wonder that institutions like the National Australia Bank (NAB) and others are losing tens of millions of dollars per year from Internet Banking Fraud.

NAB is losing about A$1 million a month to Internet banking fraud, according to a confidential internal document acquired by Australian newspaper Herald Sun BusinessDaily.

According to the newspaper article, the document was issued to senior technology staff as part of a drive to improve online security and stem a "tide of losses".

The report warns that Internet banking fraud is on the increase with criminals using "increasingly sophisticated" ways of stealing customers' details. The document also claims fraudsters are tricking Web banking customers into becoming couriers and moving stolen funds out of the country.

With two-factor authentication in the wind, it's no wonder you see vendors scrambling for time with bankers CIO's to sway their thinking on the best approach to this business issue.

According to figures from The Australian Bankers Association (ABA), the country's banks lost A$10 million to online fraud last year.

The ABA said in March that Australian banks would introduce an industry standard for two-factor authentication for verifying online banking customers later this year, although each bank is free to choose its own method of secondary identification.

Bank of America has already adopted the PassMark technology. Sitekey is one anti-phishing method that associates an image with an online ID to give the consumer a higher level of assurance that they are logging into the correct site. E-Trade has chosen RSA's technology for their site.

Putting an end to account hijacking is a primary concern of the US FDIC and they welcome your input.

18 July 2005

In the latest issue of Board Member Magazine, Lisa Ferri reminds us of the importance of the risk of Electronic Evidence.

If the only thing better than learning from your mistakes is learning from the mistakes of others, then directors need to take a lesson from Philip Morris. Last year the tobacco giant was slapped with a $2.75 million fine by a federal court. The offense? Wrongful destruction of e-mails, otherwise known in legal circles as spoliation of evidence. The court found that at least 11 Philip Morris executives “at the highest corporate level” were guilty of violating a court order concerning document retention. In other words, they purged and paid the price.

United States of America v. Philip Morris USA Inc., et al. is a cautionary tale of the problems awaiting companies that are either unaware of or unprepared for the world of electronic evidence. The rules governing that world are evolving at warp speed.

In the United States, does an employee need the companies permission to seize your computer at the workplace for electronic evidence? In order to be more informed about this procedure and the legal implications in your enterprise, see CCIPS.

Warrantless workplace searches occur often in computer cases and raise unusually complicated legal issues. The starting place for such analysis is the Supreme Court's complex decision in O'Connor v. Ortega, 480 U.S. 709 (1987). Under O'Connor, the legality of warrantless workplace searches depends on often-subtle factual distinctions such as whether the workplace is public sector or private sector, whether employment policies exist that authorize a search, and whether the search is work-related.

Your compliance or legal office can provide you with the guideance for any employee that is suspected of violating company policies with regard to computers crime or theft of confidential information or intellectual property. The question remains, what policy is in existence today and what methods have been utilized for full disclosure to employees that may impact their rights of privacy on the job?

Just remember, Forensics and gathering electronic evidence in a criminal matter is in opposition to your recovery. Once a violation has occured, you can make changes, clean up the problem and get back to normal or you can preserve the crime scene for evidence. It's one or the other. If it's not, then that is when you run into problems. Document retention strategies in combination with Forensic Digital Discovery procedures are critical to any organization that cares to mitigate the ongoing risks of electronic evidence.

Oil prices rose for a second day, after the US Government said more than half of Gulf of Mexico output remained shut down following Hurricane Dennis. A new storm is approaching the region, raising concern about supply shortages.

Production in the Gulf was 43 per cent of normal at noon New York time yesterday, compared with 4 per cent the previous day, figures from the US Minerals Management Service showed. Tropical storm Emily formed in the Caribbean and next week might reach the gulf, the source of a third of US oil output.

"Now there are worries about this tropical storm, Emily, they're getting all these big storms really quite early in the season," said David Thurtell, commodity strategist at Commonwealth Bank.

"If you get these continued disruptions, then second-half production is going to disappoint."

Insurers and other firms in the financial services sector are at risk if regulators don't allow them to increase premiums. Business could be impacted by those higher premiums or the risk of losing coverage all together.

Last year was difficult for insurers as four major hurricanes in the Southeast triggered about $23 billion in payouts.

In Florida, where insurers paid the most damages from last year's hurricanes, companies have so far had little success in getting regulators to allow higher premium prices.

But another year of hurricanes on par with 2004 could give insurers more leverage in applying for higher premiums, said Mike Paisan, an insurance analyst at Legg Mason in New York.

"If Florida regulators do not allow higher prices, major insurers could threaten to withdraw. Having fewer insurance companies there would definitely raise prices," Paisan said.

The risk of loss from external events such as these are hard to predict, yet easier to prepare for each year. Predictive models are getting better and the largest and most savvy insurers are using them to their benefit. AIR's Catastrophe Models are a prime example.

Lloyd's Loss Modeling Department has licensed AIR Worldwide's catastrophe risk management system to assess the risk from global catastrophes and for the simulation of Realistic Disaster Scenarios (RDS).

RDSs test the ability of the market and individual syndicates to withstand large catastrophes such as a major hurricane hitting the Miami area or a severe earthquake striking downtown Los Angeles. By bringing the AIR models in house, Lloyd's risk management team will have a better understanding of the potential impact of such scenarios. All Lloyd's managing agents are required to complete RDS exercises annually.

In the HealthSouth Corp. fraud trial, the jury made a different decision and the CEO was acquited.

Some lawyers suggested white-collar cases are inevitably difficult to present to jurors, whether they live in Birmingham or New York. "It's different from a drug deal or a bank robbery," said Donald Stern, a Boston attorney who was formerly that city's top federal prosecutor. "It's not obvious that a crime has been committed."

What the Board of Director's and Executive Management do know is that it's time to make some more changes in Corporate Governance initiatives. The relationships with the shareholders is bound to continue to be a challenge for any management team and they realize that they must be creating a culture full of ethics and risk management principles.

At the end of the day it comes down to the evidence presented to the jury. And the evidence is typically a presentation of information utilizing forensic methods of discovery. Dr. Thomas R. O'Connor at NCWC has some interesting background on the subject of Investigative Methods in Forensic Accounting.

Signs of financial crime can be initially detected in a variety of ways -- by accident, by whistle-blowing, by auditors, by data mining, by controls and testing, or by the organization's top management requesting an inspection on the basis of mere suspicion. Ideally, fraud detection ought to be recognized as an important responsibility throughout every organization, and every employee in an organization ought to be familiar with the disciplinary consequences for breach of trust as well as failure to report criminal misdeeds against the organization. On a practical level, however, there are steps to the investigative method used in an organizational context that are far from these ideals, and reaching the "breakthrough" point is more an art than science. It is the purpose of this lecture note to outline the investigative methods and procedures used in most cases.

Red Flags of Organizational Behavior:

1. Unrealistic performance compensation packages -- the organization will rely almost exclusively, and to the detriment of employee retention, on executive pay systems linked to the organization's profit margins or share price.

2. Inadequate Board oversight -- there is no real involvement by the Board of Directors, Board appointments are honorariums for the most part, and conflicts of interest as well as nepotism (the second cousin to corruption) are overlooked.

3. Unprofitable offshore operations -- foreign operation facilities that should be closed down are kept barely functioning because this may be where top management fraudsters have used bribes to secure a "safe haven" in the event of need for swift exit.

4. Poor segregation of duties -- the organization does not have sufficient controls on who has budget authority, who can place requisitions, or who can take customer orders, and who settles or reconciles these things when the expenses, invoices, or receipts come in.

6. Low morale, high staff turnover, and whistleblowers -- Low morale and staff shortages go hand-in-hand, employees feel overworked and underpaid, frequent turnover seems to occur in key positions, and complaints take the form of whistleblowing.

As we move forward on strategies for improving ethics and protecting corporate assets it's clear that educating board members and employees to the symptoms of corporate disease can be a key initiative. That education and awareness program could be the beginning of a whole new era of high performing companies. And for that matter, the programs effectiveness may be the first test of any organizations health.

13 July 2005

In the aftermath of the July 7th London Terrorist Bombings the investigation and forensics are quickly answering our most obvious questions. Who? How? Why?

Yet we must be reminded that fear is an obstacle between us and truly understanding the event. It creates paralysis. It even makes us react in ways that can only be called stupid if we are to improve our safety and security.

The fear is in your mind and not based upon the real risks. Moving beyond fear and making sound decisions for the future involves looking beyond the newspaper headlines. It means looking at the threats and the effectiveness of the countermeasures. Now it means making prudent and logical security trade-offs. Beware of those who may cloak their actions as security-related to terrorism.

Let's not surround ourselves with security countermeasures that makes us have a false sense of security. To invest millions or billions more money in transportation security for the mass transit systems will help deceive us even more. Those who don't understand security or how to make trade-offs spend too much money and resources on countermeasures that don't and won't work.

When a threat is inevitable, focusing on prevention can blind you. Terrorism in the sense we are witnessing in London or Spain or monthly in Israel or Iraq is destined to continue without warning for many decades to come. The brand Al Qaeda is here to stay.

Security is about risk prevention. Safety is protecting assets from unplanned and undetermined actions. Security is for those deliberate and intentional acts such as theft and other criminal attacks. Preventing terrorist acts that are planned and intended to inflict damage, death and destruction is like trying to prevent people from stealing or committing fraud. Countermeasures such as walls, safes, guards, cryptography, ID cards or watermarks are largely ineffective and technology only makes security more complex.

What is changing is the focus on the reality of threats that we can't totally prevent. Bruce Hoffman's article The Logic of Suicide Terrorism sums this up nicely:

Nearly everywhere in the world it is taken for granted that one can simply push open the door to a restaurant, café, or bar, sit down, and order a meal or a drink. In Israel the process of entering such a place is more complicated. One often encounters an armed guard who, in addition to asking prospective patrons whether they themselves are armed, may quickly pat them down, feeling for the telltale bulge of a belt or a vest containing explosives. Establishments that cannot afford a guard or are unwilling to pass on the cost of one to customers simply keep their doors locked, responding to knocks with a quick glance through the glass and an instant judgment as to whether this or that person can safely be admitted. What would have been unimaginable a year ago is now not only routine but reassuring. It has become the price of a redefined normality.

In the United States in the twenty months since 9/11 we, too, have had to become accustomed to an array of new, often previously inconceivable security measures—in airports and other transportation hubs, hotels and office buildings, sports stadiums and concert halls. Although some are more noticeable and perhaps more inconvenient than others, the fact remains that they have redefined our own sense of normality. They are accepted because we feel more vulnerable than before. With every new threat to international security we become more willing to live with stringent precautions and reflexive, almost unconscious wariness. With every new threat, that is, our everyday life becomes more like Israel's.

The bomb sniffing bomb proof bus is coming to Jerusalem soon to augment the human security already present to deter and detect terrorist suicide bombers. All too often, two of the most important questions are forgotten:

1. What new potential security risks does this new solution cause?

2. What new trade-offs and expenses are a result of implementing the new solution?

01 July 2005

CardSystems Class Action law suit has been filed. Let the discovery begin.

ERIC PARKE and ROYAL SLEEPCLEARANCE CENTER, INC., a Californiacorporation, On Behalf Of Themselves, AllOthers Similarly Situated, and in the Interest ofthe General Public of the State of California,Plaintiffs,

A class-action suit has been filed in California against CardSystems, Visa, and MasterCard seeking a declaration that CardSystems violated due standards of care in its data-security methods and that the card companies failed to provide timely notice of the nature and extent to which credit-card data was compromised. According to the lawsuit, CardSystems had been alerted "by other entities" late last year that consumer data had been exposed and failed to take prompt remedial action or notify consumers. The suit alleges that CardSystems violated Visa and MasterCard rules against storing consumer information and also violated the Payment Card Industry Data Security standard by improperly storing credit-card and transaction data, failing to maintain a firewall, failing to restrict access to its computers, and failing to encrypt cardholder data.

The suit charges that MasterCard was remiss in not publicly disclosing the breach until June 17, even though it had been informed by CardSystems of the breach in May and had traced fraudulent incidents back to CardSystems in April.

The legal and regulatory motions are moving towards even more controls to see that banking and other personal information is protected properly. A national law is in the works in the US to try and stem the tide of the ID Theft tidal wave. Who is going to pay for all of this added security and regulation? The consumer is.

The insider case at Bank of America, Wachovia and two other banks -- involving a far smaller number of accounts than the hackers' assault on CardSystems Solutions -- could prove to be far worse for consumers, said Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc., an information technology research firm.

``It may not be bigger, but that stuff is a lot more dangerous,'' Litan said. ``These are people who have access to a lot more personal information, so it's very serious.''

Wachovia and Bank of America were forced to alert more than 100,000 customers in May after police in New Jersey charged nine people, including seven bank workers, in a plot to steal financial records of thousands of bank customers.

Why try and rob banks or hijack armored car's when you can sell someone's ID and Account Info for $10.00 X 100,000? What we are experiencing is a "Breakpoint" in the system. A point at which all of the rules change. What are the new rules for success going to be moving past this turning point?

At Breakpoint, the rule change is so dramatic that continuing to use the old rules will not work any longer. We have reached a "Breakpoint"!

About

Operational Risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institutions activities.

"The Only Thing Necessary For Evil To Triumph Is For Good Men To Do Nothing." --E. Burke